CorSecure

Security, Hacking, Making, and Tech


Bypassing SSL Pinning with Frida

If you have attempted to test many mobile applications, you have probably been in the following situation. You have installed the app you’re trying to test, and you have your mobile device ready to use with Burp Suite. Perhaps you followed the instructions in my previous blog post here. After turning on your proxy settings and launching the app, suddenly the app isn’t working, and when you look at the logs in Burp Suite, you see errors that look like this:

This most likely means that the application that you are trying to test has SSL Pinning enabled.

What is SSL Pinning?

SSL Pinning is a security measure that a lot of mobile developers implement in their applications to help prevent man-in-the-middle attacks. Instead of trusting any certificate the device trusts, the app compares the certificate (or public key) presented by the server against the one it expects and refuses the connection if they don’t match, which includes proxy certificates like the one we installed from Burp Suite. Fortunately, there are a few different ways that this pinning mechanism can be bypassed, and I’m going to show you one of the most popular ways using a tool called Frida.

Installing Frida

Frida is a dynamic instrumentation tool that allows us to inject code and change the behavior of the application at runtime. There are a lot of different things that you can do with Frida, but one of the most common uses for Frida is to bypass SSL pinning. This can be done for both Android and iOS applications, but I’m just going to go over how to do it with an Android device in this blog post. For this example, I’m going to be using an Ubuntu laptop and a rooted Android Studio emulator. This should work for macOS and Windows systems, as well as physical Android devices.

The first thing we need to do is install the Frida CLI tools on our host system. Note that Frida does require Python to be installed on our system first, and Python 3 is recommended. Once we have Python installed, we can install the Frida CLI tools with the following command:

pip3 install frida-tools

Next we need to install the Frida server on our Android device. You can find this on the GitHub releases page. There should be several assets listed under each release on that page, so make sure you select the server file that corresponds to the architecture of your mobile device. I am using an emulator with x86_64 architecture, so I’m going to download the file named frida-server-<version number>-android-x86_64.xz.

If you are unsure, you can run the following command to check the architecture of your mobile device:

adb shell getprop ro.product.cpu.abilist

Once we download the appropriate server file, we now need to uncompress it by running:

unxz frida-server-<version>.xz

Then we need to push it to our mobile device. We may need to run adb root first if adb is not already running as root. After we have made sure that adb is running as root, we can push the server file to our mobile device with the following command:

adb push frida-server-<version> /data/local/tmp/

Once we have the server on our mobile device, we just need to set the correct permissions and then run the server. We can do this by dropping into a shell with the command adb shell and then running the following commands:

chmod 755 /data/local/tmp/frida-server-<version>
/data/local/tmp/frida-server-<version> &

Note: Make sure that the version of Frida on your host and the version of the Frida server that you install on your mobile device match. Some of the most common issues faced when using Frida can be solved by checking the version numbers. You can check the Frida version by running frida --version and then download the server that corresponds to that version. Alternatively, you can check the version of the server by running frida-server --version and then installing the corresponding version of frida with pip3 install frida-tools==<version number>.

After the server is installed and running on your Android device, go back to your terminal and run a quick smoke test by running the command frida-ps -Uia. This should return a list of the applications installed on the device. If it does, then we know that Frida has been installed correctly.
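To tie the install steps above together, here is a small helper script I’m adding for this post (it is not part of Frida or of the original steps). It maps the device’s abilist to the matching frida-server release asset, pushes and starts the server the same way as above, and then refuses to continue if the host and device versions differ. It assumes adb and frida are on your PATH and that the server binary has already been downloaded and uncompressed.

```shell
#!/bin/sh
# Added helper script (not from the original post or the Frida project).
# Assumes: adb and frida on PATH, rooted device, server binary already unxz'd.
set -eu

# Map the first (preferred) ABI in ro.product.cpu.abilist to the architecture
# suffix used by frida-server release assets (arm, arm64, x86, x86_64).
frida_asset_arch() {
  case "${1%%,*}" in
    arm64-v8a)   echo arm64 ;;
    armeabi-v7a) echo arm ;;
    x86_64)      echo x86_64 ;;
    x86)         echo x86 ;;
    *)           return 1 ;;
  esac
}

# Compare the output of "frida --version" with "frida-server --version".
# Returns 0 when they match; a mismatch is the most common Frida problem.
versions_match() {
  [ "$1" = "$2" ]
}

# Push, chmod and start the server (same steps as the post), then check versions.
install_frida_server() {
  server_bin="$1"
  remote=/data/local/tmp/frida-server
  want="$(frida_asset_arch "$(adb shell getprop ro.product.cpu.abilist | tr -d '\r')")"
  case "$server_bin" in
    *"-android-$want"*) ;;
    *) echo "expected a frida-server asset for android-$want, got $server_bin" >&2; return 1 ;;
  esac
  adb root >/dev/null
  adb push "$server_bin" "$remote"
  adb shell chmod 755 "$remote"
  adb shell "$remote >/dev/null 2>&1 &"
  host="$(frida --version)"
  dev="$(adb shell "$remote --version" | tr -d '\r')"
  versions_match "$host" "$dev" || { echo "version mismatch: host $host, device $dev" >&2; return 1; }
  # Same smoke test as in the post: list installed apps with their identifiers.
  frida-ps -Uia >/dev/null && echo "frida $host is up on the device"
}

# Usage: ./frida-setup.sh ./frida-server-<version>-android-x86_64
if [ "${1:-}" ]; then
  install_frida_server "$1"
fi
```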

The Actual Bypass

Now that we have Frida installed, we can actually try to bypass SSL pinning on our target application. The pinning mechanism can be different depending on the implementation that the developer chose for that particular app, but there are a few common mechanisms that are used by most applications that use SSL pinning. For these common mechanisms, there are actually several Frida scripts that have been written over the years, and you can browse many of them on the Frida Codeshare.

The Frida Codeshare is a collection of tons of Frida scripts that have been developed by the community, and you can view the source code or even run a script without downloading the code. If you browse the Codeshare, you will see several different scripts for bypassing SSL pinning. Feel free to try any of them that you would like, but one that I have used successfully several times in the past is Universal Android SSL Pinning Bypass 2 by sowdust. You can use this script by simply running the following command:

frida --codeshare sowdust/universal-android-ssl-pinning-bypass-2 -f YOUR_BINARY -U

For example, I am going to attempt to bypass SSL pinning on the Reddit app for Android. When I initially installed the Reddit app on my Android emulator and turned on my proxy, I immediately noticed that I wasn’t getting any network traffic in my Proxy history, and I was seeing some of those certificate errors in the Dashboard that I mentioned at the beginning. I even got an error message in the app when I attempted to log in.

Let’s see what happens when I run the pinning bypass. First, I need to get the package name for the Reddit application, which we can get by running that same smoke test that we ran earlier.

Now that we have the package name, let’s run the bypass!

Since we are running code from the Codeshare, Frida will ask us to confirm that we do want to run this code. After confirming that we do in fact want to trust this script, we should now be able to navigate the Reddit app and view that network traffic in our Burp Suite proxy!

Alternatively, if we did not want to run the code directly from the Codeshare, we can also just copy and paste the code into a local file on our system and run it locally. This would also allow us to make edits or add more code to the script. In that case, our command would look something like this:

frida -l pinningbypass.js -f com.reddit.frontpage -U

…And Much More!

Although bypassing SSL pinning is one of the most popular uses for Frida, there are MANY more things that can be done with this very powerful tool. It can also be used with iOS applications and other types of hardware as well. Feel free to browse the Codeshare to get some ideas for some other potential applications for this tool. I might make more blog entries in the future about some other applications for Frida when it comes to mobile pentesting.

If you’re interested in more content about security, hacking, making, and tech, check out my YouTube channel at https://youtube.com/@CorSecure.
